$ scanimage -L
device `epkowa:usb:001:007' is a Epson L355/L358 flatbed scanner
device `v4l:/dev/video0' is a Noname Integrated_Webcam_HD: Integrate virtual device
device `epson2:libusb:001:007' is a Epson PID 08A8 flatbed scanner
But it is not being found on the network. I have checked and it works in Arch Linux.
For my Epson EcoTank (wireless), I had to use all of the config below. services.printing and services.sane are quite obvious, but services.avahi could be the missing part in your config. It allows detection of devices over the network using a protocol that the driver probably expects.
I guess you could use Wireshark to detect the ports that are used. But it could be that the port is not always the same. It may be simpler to disable the firewall on the local network, or to allow anything from the printer IP.
I know this is not much help, but it’s the best advice I can provide.
From  it looks like iscan-network-nt + sane-epson2 should be the solution, but we only package iscan-network-nt as part of epkowa. It may be a good idea to see if we can get iscan-network-nt + sane-epson2 working, but that would require more tinkering.
For auto-discovery, the epson2 backend sends a UDP broadcast to port 3289. I guess that the response is filtered by the firewall because the sender isn’t the broadcast address itself. In the case where you configure the scanner device manually, the device is addressed directly, therefore connection tracking rules apply and let the response through.
How to do that in configuration.nix?
It works without this in both Arch Linux and Fedora 31.
Seems like the way to go is to address the scanner directly by IP, provided that this IP remains stable thanks to your local DHCP. See how to do that in the man pages here. That would avoid the discovery issues.
From the source we can see that indeed a broadcast is sent for discovery, and a reply expected on the same port. I have no idea how to allow that on a firewall.
I guess you will have to go with networking.firewall.extraCommands and something like the following (but I am no iptables guru, so this may not be a correct iptables rule per se, and the OUTPUT rule may not be needed).
networking.firewall.extraCommands = ''
  iptables -A INPUT -s XXX.XXX.XXX.XXX -j ACCEPT
  iptables -A OUTPUT -d XXX.XXX.XXX.XXX -j ACCEPT
'';
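A narrower variant of the rule suggested above, as an added example that is not part of the original thread: it accepts only the scanner's UDP discovery replies instead of all traffic from its address. The address 192.0.2.10 is a constructed placeholder, the reply source port 3289 is an assumption drawn from the discovery description in this thread, and the fragment assumes the iptables-based NixOS firewall with its nixos-fw chain.

```nix
{ ... }:
let
  # Constructed placeholder (documentation address range);
  # replace with the address your DHCP server reserves for the scanner.
  scannerIp = "192.0.2.10";
in
{
  # Broad form from the post above, for comparison:
  #   iptables -A INPUT -s <scanner> -j ACCEPT
  # accepts every protocol and every port from that host.

  # Narrow form: only UDP datagrams from the scanner whose source port is
  # the discovery port. Connection tracking cannot match these replies to
  # the outgoing broadcast, so they need an explicit accept rule.
  networking.firewall.extraCommands = ''
    # Assumption: discovery replies are unicast UDP with source port 3289.
    iptables -A nixos-fw -p udp -s ${scannerIp} --sport 3289 -j nixos-fw-accept
  '';

  # Remove the rule again when the firewall is stopped or reloaded,
  # so repeated activations do not stack duplicate rules.
  networking.firewall.extraStopCommands = ''
    iptables -D nixos-fw -p udp -s ${scannerIp} --sport 3289 -j nixos-fw-accept 2>/dev/null || true
  '';
}
```

After a rebuild, `iptables -L nixos-fw -n -v` shows the rule's packet counter, which should rise when `scanimage -L` runs if the assumed source port is right.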
My scanner already receives the same IP from the local DHCP server (a wireless router). But it is not possible to edit the epson2.conf configuration file because it is installed read only in the nix store, and the sane module does not offer any means of changing it. This is a weak point of the sane module that maybe should be addressed.